Real Cost of Data Breaches: The Hidden Fine Print
A new publication from Ponemon Institute, 2017 Cost of Data Breach Study: United States, makes the following points:
- $3.6 million cost of an average data breach
- $141 — cost of data breach per row
A major takeaway is that the cost per record has come down from $208 a few years ago, when this study became mainstream. This makes sense, as data size has grown exponentially over the years.
They say it takes 6+ months to contain a breach. The methodology used to arrive at this number is not revealed. You can patch a firewall hole, but once data is lost, it is gone, and people don’t change their names and dates of birth every 6 months.
The report also mentions that 53% of data breaches occur from production and from non-production, due to deliberate malice or negligence. This should raise an alarm: half of the risk comes from inside the organization, where the majority of data resides.
Three recent breaches highlight these facts.
Equifax — 143 million people, or perhaps every CC holder in the US, had their SSN compromised. The issues were production system patches not being applied and the breach being concealed for months.
The containment of the incident was even more troublesome, with the response being hosted on a separate site which was also vulnerable.
- Their Twitter handle relayed links to phishing URLs.
- Some privileged accounts had default credentials (admin/admin).
The response made Equifax a joke magnet, with social media rallying against them:
Don't forget to change your name, date of birth, home address and social security number regularly.— Sarah Jamie Lewis (@SarahJamieLewis) September 7, 2017
Deloitte — They had this breach while advising everybody else on security, though their response was respectful. One notable point was that it happened on a SQL server on Azure cloud, leaking tons of emails with attachments and PHI/PII.
This is a first major incident involving a cloud; however, social engineering and password extraction are being credited for this theft. Data masking in non-prod and better training could have prevented this.
The third illustration here is the SEC, which says the breach happened last year, when their EDGAR system had an intrusion in which a non-prod testing environment was targeted.
Again, notice the pattern: malicious attackers are now targeting alternate sources of data that reside in less secure environments, where audit and access controls are more lax than in their production peers.
As a recent study by the Economist notes, data is the most valuable resource in the world, and its size is increasing exponentially. Most organizations have 10 less secure copies of production data. Imagine the surface area of risk. This is the gap which any DLP program aims to fix, but progress lags because it is difficult to do.
Hopefully, with the attacks and leaks, non-prod data will be given its due respect. And next time someone asks what the cost of a data breach is, ask them to start by multiplying their sensitive record count by $141.